1:15 p.m. update: Community Health Systems Inc. hospitals in Lancaster and Cumberland counties were not included in a data breach that affected approximately 4.5 million CHS patients, a local spokeswoman said.

“The recent report regarding the data breach with CHS did not affect Heart of Lancaster Regional Medical Center, Lancaster Regional Medical Center or Carlisle Regional Medical Center or any of their affiliated practices,” Lancaster Regional spokeswoman Danielle Gilmore said in an email this afternoon.

Initial report

Community Health Systems Inc., which owns four hospitals in the midstate, said today in a regulatory filing that its computer network was the target of an external criminal cyberattack that affected approximately 4.5 million patients.

CHS believes the attack occurred in April and June of this year and, according to the filing, confirmed the attack in July. The data transferred was non-medical patient identification data related to the company’s physician practice operations, the filing says, and the 4.5 million people are those who, in the last five years, were referred for or received services from physicians affiliated with the company.

The data did not include patient credit card, medical or clinical information, CHS said, but is considered protected under the Health Insurance Portability and Accountability Act because it includes patient names, addresses, birth dates, telephone numbers and Social Security numbers.

CHS said it "is providing appropriate notification to affected patients and regulatory agencies as required by federal and state law" and "will also be offering identity theft protection services to individuals affected by this attack."

The filing did not offer any further specifics on the patients affected, and comment was not immediately available from the Central Pennsylvania hospitals this morning.

CHS said it engaged forensic expert Mandiant, a FireEye company, and "has worked closely with federal law enforcement authorities in connection with their investigation and possible prosecution of those determined to be responsible for this attack."

CHS and Mandiant "believe the attacker was an 'Advanced Persistent Threat' group originating from China who used highly sophisticated malware and technology to attack the company’s systems," the filing says. "The attacker was able to bypass the company’s security measures and successfully copy and transfer certain data outside the company."

According to federal authorities and Mandiant, the attacker has typically sought valuable intellectual property, such as medical device and equipment development data.

"Immediately prior to the filing of this report, the company completed eradication of the malware from its systems and finalized the implementation of other remediation efforts that are designed to protect against future intrusions of this type," the filing says.

According to the filing, CHS carries cyber and privacy liability insurance "to protect it against certain losses related to matters of this nature."

"While this matter may result in remediation expenses, regulatory inquiries, litigation and other liabilities, at this time, the company does not believe this incident will have a material adverse effect on its business or financial results," the filing says.